DragonFly bugs List (threaded) for 2006-04
IPSEC/FAST_IPSEC panic.
I have been experiencing panics when testing IPSEC under HEAD. The
kernel panics when sending or receiving Authentication Headers (AH), and
TCP connections encapsulated in ESP time out.

I've made some progress resolving the panic but I can't get IPSEC or
FAST_IPSEC to work correctly. I've gone through the ipsec code looking
for any glaring errors. Any help would be appreciated.

Regards
Gary

Communication between DragonFly Head and FreeBSD 4/6 using IPSEC.

options IPSEC
options IPSEC_ESP

IPSEC AH      ICMP, UDP and TCP are working between PCs.
IPSEC ESP     ICMP and UDP work. TCP connections time out.
IPSEC AH-ESP  ICMP and UDP work. TCP connections time out.

options FAST_IPSEC

IPSEC AH      Kernel panic.
IPSEC ESP     ICMP, UDP and TCP are working between PCs.
IPSEC AH-ESP  Kernel panic.

flush;
spdflush;
add 192.168.20.4 192.168.20.6 ah 15700 -A hmac-md5 "1234567890123456";
add 192.168.20.6 192.168.20.4 ah 24500 -A hmac-md5 "1234567890123456";
add 192.168.20.4 192.168.20.6 esp 15701 -E rijndael-cbc "123456789012345678901234";
add 192.168.20.6 192.168.20.4 esp 24501 -E rijndael-cbc "123456789012345678901234";
spdadd 192.168.20.4 192.168.20.6 any -P out ipsec
esp/transport//require
ah/transport//require;
Index: sys/netproto/ipsec/ipsec.c
===================================================================
RCS file: /home/dcvs/src/sys/netproto/ipsec/ipsec.c,v
retrieving revision 1.13
diff -u -r1.13 ipsec.c
--- sys/netproto/ipsec/ipsec.c 14 Jan 2006 13:36:40 -0000 1.13
+++ sys/netproto/ipsec/ipsec.c 22 Apr 2006 12:01:51 -0000
@@ -672,7 +672,7 @@
spidx->dst.sin.sin_port = uh.uh_dport;
return;
case IPPROTO_AH:
- if (m->m_pkthdr.len > off + sizeof(ip6e))
+ if (off + sizeof(ip6e) > m->m_pkthdr.len)
goto done;
/* XXX sigh, this works but is totally bogus */
m_copydata(m, off, sizeof(ip6e), (caddr_t) &ip6e);
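Review bot: The new test in the IPPROTO_AH case, `off + sizeof(ip6e) > m->m_pkthdr.len`, is evaluated in size_t because of the sizeof operand, so it is only a sound bound if off can never be negative at this point; an explicit cast or a short comment saying so would make that clear. The removed line had the comparison reversed, so packets long enough to hold the header jumped to done while shorter ones fell through to m_copydata(m, off, sizeof(ip6e), ...); the commit message should say that this fixes an inverted length check and which of the reported panics it addresses. The XXX comment about reading the header through ip6e is left in place and deserves its own follow-up.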
Index: sys/netproto/ipsec/keysock.c
===================================================================
RCS file: /home/dcvs/src/sys/netproto/ipsec/keysock.c,v
retrieving revision 1.11
diff -u -r1.11 keysock.c
--- sys/netproto/ipsec/keysock.c 14 Jan 2006 13:36:40 -0000 1.11
+++ sys/netproto/ipsec/keysock.c 19 Apr 2006 18:00:36 -0000
@@ -48,6 +48,7 @@
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
+#include <sys/thread2.h>
#include <net/raw_cb.h>
#include <net/route.h>
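Review bot: Nothing in this hunk shows what in keysock.c needs <sys/thread2.h>, so the commit message should name the function or macro that was undeclared and the kernel option under which the build failed. The placement after <sys/systm.h> keeps the sys/ includes in alphabetical order, which is fine.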
Index: sys/netproto/ipsec/xform_ipcomp.c
===================================================================
RCS file: /home/dcvs/src/sys/netproto/ipsec/xform_ipcomp.c,v
retrieving revision 1.7
diff -u -r1.7 xform_ipcomp.c
--- sys/netproto/ipsec/xform_ipcomp.c 10 Jun 2005 23:59:31 -0000 1.7
+++ sys/netproto/ipsec/xform_ipcomp.c 19 Apr 2006 17:46:55 -0000
@@ -40,6 +40,7 @@
#include <sys/kernel.h>
#include <sys/protosw.h>
#include <sys/sysctl.h>
+#include <sys/thread2.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
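Review bot: The added <sys/thread2.h> after <sys/sysctl.h> has no visible user in this hunk; name the symbol in xform_ipcomp.c that requires it. Since this include change does not alter behaviour while the ipsec.c length-check change does, committing the two separately would make the history easier to bisect.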